I am going to put the spoiler warning right here in the first sentence: I am going to be talking about season two of Mr. Robot, and I'm not holding anything back. Read on if you have already watched it. If you haven't watched it, keep reading to see how life imitates art. And if not art, then at least a cable TV show.
Those of you here at The State of Security likely need no introduction to this show. Amongst those in the online security circle whom I speak to, this show is a hit for a number of reasons. For one, it really does show some real-world hacker techniques in action. People who are not yet aware of digital security problems can view it and learn. Another big reason for the show's success is the incredible performance of Joey Bada$$, but that's a whole different issue…
https://twitter.com/whoismrrobot/status/761019992561201157
Let's get into the digital security lessons from Mr. Robot.
1. The most dangerous threat is always an insider
Those whom you trust to be a member of your organization are those with the most access to your sensitive digital files. This is certainly the case with Allsafe, and their connection to the evil E Corp. Their main insider threat is, of course, Mr. Robot himself: Elliot. He uses his access to Allsafe's servers, and by extension E Corp., to turn Fsociety into the hacker organization it becomes. If Elliot had never been given his insider access, it is doubtful that this entire show could have ever happened. His insider knowledge is what propelled his hacking of E Corp. He could have still pulled off some of this, but he would've had nowhere near as much success.
With enough time, a hacker can always find the flaws and... https://twitter.com/whoismrrobot/status/788779253206650881
Truly preventing insider threats is probably the most challenging thing that any company can face. Having a number of penetration testers from different companies test your defenses to identify weak spots is a no-brainer. You will also need to put tight controls on what information your employees can access while recording what goes in and out of your network.
2. The IoT poses a wide number of threats
Granted, there were some extenuating circumstances, but in this season, we saw how weak security for the Internet of Things led to someone's death. I am talking, of course, about E Corp’s general counsel Susan Jacobs. The weakness of her IoT devices led to them being hacked, and to her being driven from her house. Fsociety then moved right on in, leading to her coming home later at a most inopportune moment.
https://twitter.com/whoismrrobot/status/769296035910909958
The example in the show is pretty extreme. But it should illustrate to you the importance of paying attention to the security of your IoT devices. Take the time to research the apps that you download onto mobile devices and check to make sure that any IoT devices you purchase have some sort of protection.
3. The greatest exploits of all our people: Social engineering
Social engineering is a bit of a fancy way of saying tricking people. We see Angela use a little bit of social engineering when she plugs a Rubber Ducky into the computer of an employee of E Corp. Her goal is to steal some information for her lawsuit against them. But she faces an obstacle in order to do so: the secretary. She uses her insider knowledge of the company to convince the secretary that she should leave her desk and thus leave the computer Angela wants to target vulnerable.
Elliot also uses a little bit of social engineering in episode 10 when he pretends to be an NYPD officer. He reads up on the emergency procedures online, downloads the form that he submits through a fax machine, and then uses social engineering to exploit a police operator's desire to do the right thing and help a person in danger.
https://twitter.com/whoismrrobot/status/791653789820448768
The lesson that you need to learn here is that you should not give away any information to someone you do not trust. This frequently happens with people calling you and pretending to be your bank. They will put pressure on you stating that there are fraudulent transactions on your account, and they will try to use that pressure to get you to reveal information, such as your bank card number. When it comes to banking, it's a pretty safe bet that they should already know your bank card number. Hang up and then call them back at a number you trust.
4. Protecting mobile devices against vulnerabilities and malware
The best example of weak mobile device security happened during the hack of the FBI's temporary office in E Corp. This showed off an actual vulnerability in Android combined with the malicious use of a femtocell. It allowed Fsociety to intercept confidential calls that were then submitted to the public.
https://twitter.com/whoismrrobot/status/763045062120996864
This scene was in no way an exaggeration. This can really work, and it's not outside the realm of possibilities for it to happen in a setting of corporate espionage. Making sure that your mobile device has all of the latest updates and patches is critical.
5. Start managing your passwords better already
Seriously, how long are '123456' or 'password' going to be the most popular passwords? Or how long will people think it's smart to write down their password on a Post-it note right next to their desk? Neither of these things is smart. And it is absolutely shocking that Susan Jacobs was guilty of writing down her password on a Post-it note.
https://twitter.com/whoismrrobot/status/768634573366386690
You need to start creating passwords that have a variety of upper and lowercase letters, numbers and symbols. To help you create a variety of these passwords, try using a password management tool.
6. Please learn about how useful encryption is
Susan Jacobs may be the most pwned person of all time. Her IoT devices were taken over, Fsociety moved into her home and used it as a headquarters, and she didn't encrypt the files on her computer. That was her last mistake. Fsociety’s techniques were able to take information from her computer simply because she did not encrypt her files.
https://twitter.com/whoismrrobot/status/753414250643808258
Nearly every operating system has some sort of encryption on it for free. You can choose to either encrypt your entire device and unlock it using the passcode or only encrypt certain sensitive folders and files. Despite what your government is trying to tell you, encryption is not evil.
7. Ransomware is probably the realest of all threats
Cryptowall is a common piece of software that hackers use to infect networks. We see Darlene use a version of it in the first episode of season two in order to force E Corp. to pay a ransom. This is highly effective when you consider that E Corp. is already suffering from the deletion of all its backup copies in season one. This may just be the biggest ransomware of all time, and they didn't even keep the ransom money…
https://twitter.com/whoismrrobot/status/793120407616454656
Ransomware is an incredibly diverse attack tool. Having a complete digital security plan from top to bottom is the only sure way to avoid it. Here are four key points you need to cover:
- Create backups of everything.
- Be cautious of all suspicious links and emails.
- Invest in anti-malware security software.
- If you suspect that you have been infected, shut down your entire network to prevent it from spreading even further.
These four points are not just good for preventing and recovering from ransomware; they are smart digital security tactics to use anyway.
What do you think about how digital security was presented on Mr. Robot? And, more importantly, just how awesome was Joey Bada$$?
https://twitter.com/whoismrrobot/status/766105893050212352
About the Author: Marcus Habert (@) is the online security writer and analyst for the Best VPN Provider Online Security and Privacy blog. Catch him there every Wednesday for the latest developments in the world of infosec. You can also join the team on Twitter for a constant stream of what’s happening in online security and hacks.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.